L2TP Large-Scale Dial-Out per-User Attribute via AAA
First Published: March 16, 2012
Last Updated: November 20, 2014
This feature makes it possible for IP per-user attributes to be applied to a Layer 2 Tunneling Protocol (L2TP) dial-out session.
Feature Specifications for L2TP Large-Scale Dial-Out per-User Attribute via AAA
Feature History
Release | Modification
12.2(15)T | This feature was introduced.
Cisco IOS XE Release 3.9S | Support was added for the Cisco CSR 1000V.
Supported Platforms
Cisco 7200, Cisco 7400
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Restrictions for Using L2TP Large-Scale Dial-Out per-User Attribute via AAA
The L2TP Large-Scale Dial-Out per-User Attribute via AAA feature does not support the following features associated with L2TP dial-out:
- Dialer Watch
- Dialer backup
- Dialer redial
- Dialer multiple number dial
- Callback initiated by an L2TP network server (LNS), the Bandwidth Allocation Protocol (BAP), and so on
Information About L2TP Large-Scale Dial-Out per-User Attribute via AAA
To configure the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature, you need to understand the following concept:
How the L2TP Large-Scale Dial-Out per-User Attribute via AAA Feature Works
The L2TP Large-Scale Dial-Out per-User Attribute via AAA feature makes it possible for IP and other per-user attributes to be applied to an L2TP dial-out session from an LNS. Before this feature was released, IP per-user configurations from authentication, authorization, and accounting (AAA) servers were not supported; the IP configuration would come from the dialer interface defined on the device.
The L2TP Large-Scale Dial-Out per-User Attribute via AAA feature works in a way similar to virtual profiles and L2TP dial-in. The L2TP virtual access interface is first cloned from the virtual template, so the configuration of the virtual template interface is applied to the L2TP virtual access interface. After the peer authenticates, the AAA per-user configuration for that authenticated username is applied on top of it. Because AAA per-user attributes are applied only after the user has been authenticated, the LNS must be configured to authenticate the dial-out user (for example, with PPP CHAP on the virtual template); without authentication there is no per-user profile to apply.
With the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature, all software components can now use the configuration present on the virtual access interface rather than what is present on the dialer interface. For example, IP Control Protocol (IPCP) address negotiation uses the local address of the virtual access interface as the device address while negotiating with the peer.
All Cisco IOS commands that can be configured as AAA per-user commands are supported by the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature. Following is a list of some of the commands that are typically configured on a per-user basis:
- The ip vrf forwarding interface configuration command
- The ip unnumbered loopback0 interface configuration command
- Per-user static routes
- Access lists
- Multilink bundles
- Idle timers
How to Configure L2TP Large-Scale Dial-Out per-User Attribute via AAA
This section contains the following procedures:
- Configuring the VPDN Group on the LNS
- Verifying the Configuration on the Virtual Access Interface
- Troubleshooting the Configuration on the Virtual Access Interface
Configuring the VPDN Group on the LNS
You will need to configure the virtual template under the request dial-out configuration. You will also need to select the tunneling protocol and assign the virtual private dial-up network (VPDN) subgroup to a rotary group.
AAA per-user configuration is supported only on legacy dialer interfaces and dialer rotary groups; it does not apply to dialer profiles.
Be sure to configure the virtual template so that the LNS authenticates the dial-out user.
If a virtual template is not configured, L2TP dial-out per-user is not supported, but the configuration is backward compatible for all IP configurations that come from the dialer interface.
Prerequisites
The L2TP Large-Scale Dial-Out per-User Attribute via AAA feature provides additional functionality for large-scale dial-out networks and Layer 2 tunneling. It is assumed that a network is already configured and operational, and that the tasks in this document will be performed on an operational network. See the “Additional References” section for more information about large-scale dial-out networks, Layer 2 tunneling, and virtual template interfaces.
Restrictions
If the tasks in this section are not performed, the software will operate in the original mode, that is, IP per-user configurations from a AAA server will not be recognized and IP addresses will come from the dialer interface defined on the device.
To configure the VPDN group that makes it possible for IP per-user attributes to be applied to an L2TP dial-out session, use the following commands:
SUMMARY STEPS
1. enable
2. configure terminal
3. vpdn-group name
4. request-dialout
5. protocol l2tp
6. rotary-group group-number
7. virtual-template template-number
8. exit
DETAILED STEPS
Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: vpdn-group name
  Example: Device(config)# vpdn-group 1
  Purpose: Creates a VPDN group and starts VPDN group configuration mode.

Step 4
  Command or Action: request-dialout
  Example: Device(config-vpdn)# request-dialout
  Purpose: Enables an LNS to request VPDN dial-out calls by using L2TP, and starts VPDN request-dialout configuration mode.

Step 5
  Command or Action: protocol l2tp
  Example: Device(config-vpdn-req-ou)# protocol l2tp
  Purpose: Specifies the L2TP tunneling protocol.

Step 6
  Command or Action: rotary-group group-number
  Example: Device(config-vpdn-req-ou)# rotary-group 1
  Purpose: Assigns the request-dialout VPDN subgroup to a dialer rotary group.

Step 7
  Command or Action: virtual-template template-number
  Example: Device(config-vpdn-req-ou)# virtual-template 1
  Purpose: Clones the configuration from the corresponding virtual template interface, and enables IP per-user configurations from a AAA server.

Step 8
  Command or Action: exit
  Example: Device(config-vpdn-req-ou)# exit
  Purpose: Exits VPDN request-dialout configuration mode.
What to Do Next
The configuration for the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature must include a AAA profile to specify the per-user attributes. See the “Per-User AAA Attributes Profile Example” for an example of such a profile.
Verifying the Configuration on the Virtual Access Interface
This task verifies that the per-user AAA commands are successfully parsed on the virtual access interface.
SUMMARY STEPS
1. enable
2. show interfaces virtual-access number [ configuration ]
DETAILED STEPS
Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
  Command or Action: show interfaces virtual-access number [configuration]
  Example: Device# show interfaces virtual-access 3 configuration
  Purpose: Displays status, traffic data, and configuration information about the specified virtual access interface. The optional configuration keyword restricts the output to the derived configuration, which is where the per-user commands applied from AAA appear.
Troubleshooting the Configuration on the Virtual Access Interface
This task displays additional information about the per-user AAA commands that are parsed on the virtual access interface.
SUMMARY STEPS
1. Attach a console directly to a device.
2. enable
3. configure terminal
4. no logging console
5. Use Telnet to access a device port and repeat Step 2.
6. terminal monitor
7. debug aaa per-user
8. debug vtemplate events
9. debug vtemplate cloning
10. no terminal monitor
DETAILED STEPS
Step 1
  Command or Action: Attach a console directly to a device.
  Purpose: —

Step 2
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 3
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 4
  Command or Action: no logging console
  Example: Device(config)# no logging console
  Purpose: Disables all logging to the console terminal, so that the debug output does not flood the console. To reenable logging to the console, use the logging console command in global configuration mode.

Step 5
  Command or Action: Use Telnet to access a device port and repeat Step 2.
  Purpose: Opens a second, virtual terminal session in privileged EXEC mode; the debug output is directed to this session instead of the console port. Telnet carries the login credentials and the debug output in cleartext, so use SSH instead where the device supports it.

Step 6
  Command or Action: terminal monitor
  Example: Device# terminal monitor
  Purpose: Enables logging and debug output on the virtual terminal. terminal monitor is a privileged EXEC command; from global configuration mode it must be prefixed with do.

Step 7
  Command or Action: debug aaa per-user
  Example: Device# debug aaa per-user
  Purpose: Displays which per-user attributes are applied to each user as the user authenticates.

Step 8
  Command or Action: debug vtemplate events
  Example: Device# debug vtemplate events
  Purpose: Displays the virtual template events that form a virtual access interface.

Step 9
  Command or Action: debug vtemplate cloning
  Example: Device# debug vtemplate cloning
  Purpose: Displays the virtual template cloning that forms a virtual access interface. Use this command to see when the interface is created (cloned from the virtual template) at the beginning of the dial-up connection and when it is destroyed when the connection is terminated.

Step 10
  Command or Action: no terminal monitor
  Example: Device# no terminal monitor
  Purpose: Disables logging output on the virtual terminal. Turn debugging off again with the no form of each debug command (or undebug all) when you are finished.
Configuration Examples for L2TP Large-Scale Dial-Out per-User Attribute via AAA
This section provides the following configuration examples to show how to configure the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature:
- LNS Configuration Example
- Per-User AAA Attributes Profile Example
- Virtual Access Interface Configuration Verification Example
- Virtual Access Interface Configuration Troubleshooting Example
LNS Configuration Example
The following partial example shows how to configure an LNS for the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature:
initiate-to ip 10.0.1.194.2
l2tp tunnel password 7094F3$!5^3
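The partial example above and the task in the "Configuring the VPDN Group on the LNS" section, expanded into one complete LNS configuration. This is an added example, not configuration from the original page: the addresses (documentation and private ranges), the host names, the RADIUS key and the tunnel password are placeholders, and the Loopback0 and Dialer1 interfaces (Dialer1 being assumed to be the interface that rotary-group 1 binds to) are assumptions. The lines that make the per-user attributes usable are ppp authentication chap on the virtual template, which is the authentication the module says must precede any per-user configuration, and the aaa authorization network method list, which is the exchange that returns the per-user avpairs for the authenticated name.

```cisco
! Added example: complete LNS configuration for L2TP dial-out with per-user AAA.
! Not taken from the original page. Addresses, host names, the RADIUS key and
! the tunnel password are placeholders; Loopback0 and Dialer1 are assumed names.
!
aaa new-model
! PPP peers are authenticated against RADIUS. Per-user attributes are applied
! only after this succeeds, so keep "none" out of the method list.
aaa authentication ppp default group radius
! Network authorization returns the per-user avpairs (ip:inacl, ip:outacl,
! ip:route, lcp:interface-config, ...) for the authenticated name.
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ExampleRadiusKey
!
vpdn enable
!
vpdn-group 1
 request-dialout
  protocol l2tp
  rotary-group 1
  ! Without this line the feature is inactive and IP configuration comes
  ! from Dialer1 (the backward-compatible behaviour described above).
  virtual-template 1
 ! LAC that places the outbound call (placeholder address)
 initiate-to ip 192.0.2.20
 local name lns-1
 l2tp tunnel password ExampleTunnelSecret
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Every L2TP dial-out session is first cloned from this template, then
! overlaid with the per-user AAA configuration once the peer has authenticated.
interface Virtual-Template1
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication chap
!
! Legacy dialer rotary group 1 that the request-dialout subgroup is bound to.
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 dialer in-band
 dialer aaa
 dialer vpdn
 dialer-group 1
 ppp authentication chap
!
dialer-list 1 protocol ip permit
!
! Static route that makes traffic for the remote site trigger the dial-out.
! Under large-scale dial-out the "name" keyword identifies the remote router,
! and dialer aaa looks up the "<name>-out" profile (5300-Router1-out in the
! profile example below) for the outbound:dial-number attribute.
ip route 10.17.17.1 255.255.255.255 Dialer1 name 5300-Router1
```

The profile names in the AAA server must match the CHAP name the remote router presents (5300-Router1 in the profile example) and the dial-number profile must carry the -out suffix. Removing virtual-template 1 from the request-dialout subgroup returns the LNS to the original mode, in which IP configuration comes from Dialer1 and the per-user profile is ignored.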
Per-User AAA Attributes Profile Example
The following example shows the attribute-value pair (avpair) statements for a AAA profile, in RADIUS users-file syntax, that specifies the per-user attributes. Note what such a profile can do: lcp:interface-config pushes arbitrary interface configuration commands onto the LNS, and ip:inacl, ip:outacl and ip:route install access lists and routes for the session, so whoever controls the AAA server or its shared secret controls the configuration applied for every authenticated dial-out user.
5300-Router1-out Password = "cisco"
    cisco-avpair = "outbound:dial-number=5553021"

7200-Router1-1 Password = "cisco"
    cisco-avpair = "ip:route=10.17.17.1 255.255.255.255 Dialer1 100 name 5300-Router1"

5300-Router1 Password = "cisco"
    cisco-avpair = "lcp:interface-config=ip unnumbered loopback 0",
    cisco-avpair = "ip:outacl#1=deny ip host 10.5.5.5 any log",
    cisco-avpair = "ip:outacl#2=permit ip any any",
    cisco-avpair = "ip:inacl#1=deny ip host 10.5.5.5 any log",
    cisco-avpair = "ip:inacl#2=permit ip any any",
    cisco-avpair = "multilink:min-links=2",
    Framed-Route = "10.5.5.6/32 Ethernet4/0",
    Framed-Route = "10.5.5.5/32 Ethernet4/0"
Virtual Access Interface Configuration Verification Example
The following example shows the virtual access interface configuration so you can check that the per-user AAA commands are correctly parsed:
Device# show interfaces virtual-access 3 configuration
Virtual-Access3 is an VPDN link (sub)interface
Derived configuration : 212 bytes
interface Virtual-Access3
ip vrf forwarding V1.25.com
no peer default ip address
Virtual Access Interface Configuration Troubleshooting Example
This section provides the following debugging session examples for a network configured with the L2TP Large-Scale Dial-Out per-User Attribute via AAA feature. Output is displayed for each command in the task.
Sample Output for the debug aaa per-user Command
Device# debug aaa per-user
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
AAA/AUTHOR: Processing PerUser AV interface-config
AAA/AUTHOR: Processing PerUser AV route
AAA/AUTHOR: Processing PerUser AV route
AAA/AUTHOR: Processing PerUser AV outacl
AAA/AUTHOR: Processing PerUser AV outacl
AAA/AUTHOR: Processing PerUser AV inacl
AAA/AUTHOR: Processing PerUser AV inacl
Vi3 AAA/PERUSER/ROUTE: vrf name for vaccess: V1.25.com
Vi3 AAA/PERUSER/ROUTE: route string: IP route vrf V1.25.com 10.1.25.10 255.255.255.255 10.1.25.20 tag 120
Vi3 AAA/PERUSER/ROUTE: vrf name for vaccess: V1.25.com
Vi3 AAA/PERUSER/ROUTE: route string: IP route vrf V1.25.com 172.30.35.0 255.255.255.0 10.1.25.20 tag 120
AAA/PER-USER: mode = config; command = [ip access-list extended Virtual-Access3#41
AAA/PER-USER: line = [ip access-list extended Virtual-Access3#41]
AAA/PER-USER: line = [permit icmp any any log]
AAA/PER-USER: line = [permit ip any any]
AAA/PER-USER: mode = config; command = [ip access-list extended Virtual-Access3#42
AAA/PER-USER: line = [ip access-list extended Virtual-Access3#42]
AAA/PER-USER: line = [permit icmp any any log]
AAA/PER-USER: line = [permit ip any any]
AAA/PER-USER: mode = config; command = [IP route vrf V1.25.com 10.1.25.10 255.255.255.255 10.1.25.20 tag 120 IP route vrf V1.25.com 172.30.35.0 255.255.255.0 10.1.25.20 tag 120]
AAA/PER-USER: line = [IP route vrf V1.25.com 10.1.25.10 255.255.255.255 10.1.25.20 tag 120]
AAA/PER-USER: line = [IP route vrf V1.25.com 172.30.35.0 255.255.255.0 10.1.25.20 tag 120]
*Feb 28 07:35:19.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Sample Output for the debug vtemplate events and debug vtemplate cloning Commands
Device# debug vtemplate events
Device# debug vtemplate cloning
VT[Vi3]:Reuse interface, recycle queue size 1
VT[Vi3]:Set to default using 'encap ppp'
VT[Vi3]:Added new vtemplate cloneblk, now cloning from vtemplate
VT[Vi3]:Clone Vaccess from Virtual-Template25 (19 bytes)
VT[Vi3]:Applying config commands on process "Dialer event" (25)
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
VT:Sending vaccess request, id 0x6401947C
VT:Processing vaccess requests, 1 outstanding
VT[Vi3]:Added new AAA cloneblk, now cloning from vtemplate/AAA
VT[Vi3]:Clone Vaccess from AAA (60 bytes)
VT[Vi3]:ip vrf forwarding V1.25.com
VT[Vi3]:ip unnumbered loopback25
VT[Vi3]:Applying config commands on process "VTEMPLATE Background Mgr" (160)
VT[Vi3]:ip vrf forwarding V1.25.com
VT[Vi3]:ip unnumbered loopback25
VT[Vi3]:MTUs ip 1500, sub 0, max 1500, default 1500
VT[Vi3]:Processing vaccess response, id 0x6401947C, result success (1)
VT[Vi3]:Added new AAA cloneblk, now cloning from vtemplate/AAA
VT[Vi3]:Clone Vaccess from AAA (82 bytes)
VT[Vi3]:IP access-group Virtual-Access3#51 in
VT[Vi3]:IP access-group Virtual-Access3#52 out
VT[Vi3]:Applying config commands on process "PPP IP Route" (62)
VT[Vi3]:IP access-group Virtual-Access3#51 in
VT[Vi3]:IP access-group Virtual-Access3#52 out
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Additional References
For additional information related to L2TP large-scale dial-out per-user attributes using a AAA server, see the following sections:
MIBs
MIB: None
MIBs Link: To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
http://www.cisco.com/register
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/techsupport
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Dial Technologies Command Reference at http://www.cisco.com/en/US/docs/ios/dial/command/reference/dia_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007–2009 Cisco Systems, Inc. All rights reserved.